Back to skill

Security audit

Dividend

Security checks across malware telemetry and agentic risk

Overview

This is a local command-line dividend tracker that stores user-entered finance notes on the machine and does not show network, credential, destructive, or deceptive behavior.

Install only if you are comfortable keeping dividend notes, balances, alerts, tax notes, searches, and exports in plaintext files under ~/.local/share/dividend. Avoid entering passwords, account credentials, API keys, or highly sensitive financial details, and delete or protect that directory when the data should no longer be retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that all actions are automatically logged with timestamps, but this privacy-impacting behavior is not clearly surfaced in the high-level description or command warnings. In a personal-finance context, automatic logging can capture sensitive financial activity and search terms, creating confidentiality and retention risks if users are unaware of it.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-supplied financial data is written persistently to plaintext log files under the home directory without an explicit warning, consent flow, retention policy, or access protections. In a finance-related context, this can expose sensitive personal data to other local processes, backups, shared accounts, or accidental disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The export feature aggregates all recorded finance history into a new plaintext artifact without a strong warning that a portable sensitive file is being created. Exported files increase exposure because they centralize potentially confidential data and are easy to copy, sync, or leak through backups and user sharing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.